
Re: pwdReset problem in CentOS 7




One thing I forgot to mention.

I can avoid doing the myldap_search by setting pam_authc_search NONE. But I
read this could lead to security issues, mainly with empty password, because
some LDAP implementations require a search after bind to be sure the bind
was successful and not considered anonymous. I tried to ssh giving the empty
password, and logon is correctly denied. May I ask if the LDAP
implementations known to require the additional search after bind include
OpenLDAP?

Another question is that after logging in with pam_authc_search NONE, I am
immediately notified that the password must be changed, but the session is
closed. I would like to ask if there is some support for the user changing
their own password at this stage.
Just for clarity:

# ssh -l testuser localhost
testuser@localhost's password: 
Password must be changed
Authentication failed.

And the session is terminated.

Best regards, thank you, Luigi

> -----Original Message-----
> From: Luigi Iotti <luigi@iotti.biz>
> Sent: Monday, 7 January 2019 11:01
> To: 'nss-pam-ldapd-users@lists.arthurdejong.org' <nss-pam-ldapd-users@lists.arthurdejong.org>
> Subject: pwdReset problem in CentOS 7
> 
> Hi all
> 
> I'm trying to add pwdReset support to a small ldap directory of my users: I
> would simply like my users to be forced to change their passwords the first
> time they login via ssh, after the admin set the temporary password for
> them.
> My directory is implemented on CentOS 7 with openldap-2.4.44. I upgraded
> nss-pam-ldapd to 0.9.10 to better debug the problem I'm going to explain. I
> recompiled the Fedora Rawhide rpm. I authenticate via PAM. The setup is
> rather standard: LDAP support was enabled by running the RH tool
> authconfig --enableldap --enableldapauth --ldapserver=127.0.0.1 --
> ldapbasedn="dc=test,dc=it" --enablemkhomedir --updateall .
> 
> As long as pwdReset is not used, or is FALSE, authentication is ok.
> When I set pwdReset to TRUE, authentication is always denied, and no
> password changing prompt is issued to the user.
> 
> I ran nslcd in debug mode. This is what happens when I type the password
> and press return to the ssh client I use for my tests:
> 
> nslcd: [a7c4c9] DEBUG: connection from pid=19574 uid=0 gid=0
> nslcd: [a7c4c9] <passwd="lux"> DEBUG:
> myldap_search(base="dc=test,dc=it",
> filter="(&(objectClass=posixAccount)(uid=lux))")
> nslcd: [a7c4c9] <passwd="lux"> DEBUG: ldap_result():
> uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
> nslcd: [a7c4c9] <passwd="lux"> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [68079a] DEBUG: connection from pid=19574 uid=0 gid=0
> nslcd: [68079a] <passwd="lux"> DEBUG:
> myldap_search(base="dc=test,dc=it",
> filter="(&(objectClass=posixAccount)(uid=lux))")
> nslcd: [68079a] <passwd="lux"> DEBUG: ldap_initialize(ldap://127.0.0.1/)
> nslcd: [68079a] <passwd="lux"> DEBUG: ldap_set_rebind_proc()
> nslcd: [68079a] <passwd="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [68079a] <passwd="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [68079a] <passwd="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [68079a] <passwd="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [68079a] <passwd="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [68079a] <passwd="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [68079a] <passwd="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [68079a] <passwd="lux"> DEBUG: ldap_simple_bind_s(NULL,NULL)
> (uri="ldap://127.0.0.1/";)
> nslcd: [68079a] <passwd="lux"> DEBUG: ldap_result():
> uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
> nslcd: [68079a] <passwd="lux"> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [6afb66] DEBUG: connection from pid=19574 uid=0 gid=0
> nslcd: [6afb66] <passwd="lux"> DEBUG:
> myldap_search(base="dc=test,dc=it",
> filter="(&(objectClass=posixAccount)(uid=lux))")
> nslcd: [6afb66] <passwd="lux"> DEBUG: ldap_result():
> uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
> nslcd: [6afb66] <passwd="lux"> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [e45d32] DEBUG: connection from pid=19574 uid=0 gid=0
> nslcd: [e45d32] <authc="lux"> DEBUG: nslcd_pam_authc("lux","sshd","***")
> nslcd: [e45d32] <authc="lux"> DEBUG: myldap_search(base="dc=test,dc=it",
> filter="(&(objectClass=posixAccount)(uid=lux))")
> nslcd: [e45d32] <authc="lux"> DEBUG: ldap_initialize(ldap://127.0.0.1/)
> nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_rebind_proc()
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [e45d32] <authc="lux"> DEBUG: ldap_simple_bind_s(NULL,NULL)
> (uri="ldap://127.0.0.1/";)
> nslcd: [e45d32] <authc="lux"> DEBUG: ldap_result():
> uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
> nslcd: [e45d32] <authc="lux"> DEBUG:
> myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it",
> filter="(objectClass=*)")
> nslcd: [e45d32] <authc="lux"> DEBUG: ldap_initialize(ldap://127.0.0.1/)
> nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_rebind_proc()
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> ldap_sasl_bind("uid=lux,ou=Tecnici,ou=People,dc=test,dc=it","***")
> (uri="ldap://127.0.0.1/";) (ppolicy=yes)
> nslcd: [e45d32] <authc="lux"> DEBUG: got
> LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
> nslcd: [e45d32] <authc="lux"> DEBUG:
> myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it",
> filter="(objectClass=*)")
> nslcd: [e45d32] <authc="lux"> ldap_result() failed: Insufficient access:
> Operations are restricted to bind/unbind/abandon/StartTLS/modify
> password
> nslcd: [e45d32] <authc="lux"> uid=lux,ou=Tecnici,ou=People,dc=test,dc=it:
> Insufficient access
> nslcd: [e45d32] <authc="lux"> uid=lux,ou=Tecnici,ou=People,dc=test,dc=it:
> Password must be changed
> nslcd: [e45d32] <authc="lux"> DEBUG: ldap_unbind()
> 
> It seems that after the sasl bind, a search is always performed, but since
> pwdReset is true, this is not allowed.
> From what I can understand, this is independent of my ACLs, which are the
> defaults and are as follows:
> 
> olcAccess: {0}to attrs=userPassword,shadowLastChange by
> dn="cn=admin,dc=test  ,dc=it" write by anonymous auth by self write by *
> none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by dn="cn=admin,dc=test,dc=it" write by * read
> 
> Is there something I'm missing to be able to use pwdReset?
> 
> Thank you, Luigi


-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
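The thread turns on reading nslcd debug output correctly: the bind succeeds, the server answers with a password-policy control, and it is the search nslcd issues after the bind that is refused. The following script is an added example, not code from the thread or from nss-pam-ldapd; it groups nslcd debug lines by connection id and labels each authentication request so an administrator can tell this "bind OK, password reset required" case apart from a plain wrong password or a normal login. The log excerpt embedded in it is constructed to match the shape of the lines quoted above (the connection ids, user names and DNs are made up), and the function names parse_sessions, classify and summarize are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample, shaped like the nslcd debug output quoted in the thread.
# Connection ids, user names and DNs are invented for this example.
SAMPLE_LOG = """\
nslcd: [e45d32] DEBUG: connection from pid=19574 uid=0 gid=0
nslcd: [e45d32] <authc="lux"> DEBUG: nslcd_pam_authc("lux","sshd","***")
nslcd: [e45d32] <authc="lux"> DEBUG: myldap_search(base="dc=example,dc=test",filter="(&(objectClass=posixAccount)(uid=lux))")
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_result(): uid=lux,ou=People,dc=example,dc=test
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_sasl_bind("uid=lux,ou=People,dc=example,dc=test","***") (uri="ldap://127.0.0.1/") (ppolicy=yes)
nslcd: [e45d32] <authc="lux"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
nslcd: [e45d32] <authc="lux"> DEBUG: myldap_search(base="uid=lux,ou=People,dc=example,dc=test",filter="(objectClass=*)")
nslcd: [e45d32] <authc="lux"> ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
nslcd: [e45d32] <authc="lux"> uid=lux,ou=People,dc=example,dc=test: Password must be changed
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_unbind()
nslcd: [0b1c2d] DEBUG: connection from pid=19580 uid=0 gid=0
nslcd: [0b1c2d] <authc="mara"> DEBUG: nslcd_pam_authc("mara","sshd","***")
nslcd: [0b1c2d] <authc="mara"> DEBUG: ldap_sasl_bind("uid=mara,ou=People,dc=example,dc=test","***") (uri="ldap://127.0.0.1/") (ppolicy=yes)
nslcd: [0b1c2d] <authc="mara"> DEBUG: myldap_search(base="uid=mara,ou=People,dc=example,dc=test",filter="(objectClass=*)")
nslcd: [0b1c2d] <authc="mara"> DEBUG: ldap_result(): uid=mara,ou=People,dc=example,dc=test
nslcd: [0b1c2d] <authc="mara"> DEBUG: ldap_unbind()
nslcd: [3f4e5d] DEBUG: connection from pid=19590 uid=0 gid=0
nslcd: [3f4e5d] <authc="bob"> DEBUG: nslcd_pam_authc("bob","sshd","***")
nslcd: [3f4e5d] <authc="bob"> DEBUG: ldap_sasl_bind("uid=bob,ou=People,dc=example,dc=test","***") (uri="ldap://127.0.0.1/") (ppolicy=yes)
nslcd: [3f4e5d] <authc="bob"> uid=bob,ou=People,dc=example,dc=test: Invalid credentials
nslcd: [3f4e5d] <authc="bob"> DEBUG: ldap_unbind()
"""

LINE_RE = re.compile(
    r'^nslcd: \[(?P<conn>[0-9a-f]+)\] (?:<(?P<ctx>[^>]+)> )?(?P<msg>.*)$')
BIND_RE = re.compile(r'DEBUG: ldap_sasl_bind\("([^"]+)"')
PPOLICY_RE = re.compile(r'DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE \((.*)\)')


def parse_sessions(log_text):
    """Group nslcd lines by connection id and record, for each authc request,
    the bind DN, the ppolicy response control (if any), the outcome of the
    search issued after the bind, and every non-DEBUG error line."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m.group('conn'), {
            'user': None, 'bind_dn': None, 'ppolicy': None,
            'post_bind_search': None, 'errors': []})
        ctx, msg = m.group('ctx'), m.group('msg')
        if ctx and ctx.startswith('authc='):
            s['user'] = ctx.split('=', 1)[1].strip('"')
        bind = BIND_RE.match(msg)
        ppolicy = PPOLICY_RE.match(msg)
        if bind:
            s['bind_dn'] = bind.group(1)
        elif ppolicy:
            s['ppolicy'] = ppolicy.group(1)
        elif s['bind_dn'] and msg.startswith('DEBUG: myldap_search('):
            # searches before the bind only look up the DN; only the one
            # after a successful bind is tracked here
            s['post_bind_search'] = 'pending'
        elif s['post_bind_search'] == 'pending' and msg.startswith('DEBUG: ldap_result():'):
            s['post_bind_search'] = 'ok'
        elif s['post_bind_search'] == 'pending' and msg.startswith('ldap_result() failed:'):
            s['post_bind_search'] = 'failed: ' + msg.split(':', 1)[1].strip()
        if not msg.startswith('DEBUG:'):
            s['errors'].append(msg)
    # keep only connections that carried an authentication request
    return OrderedDict((c, s) for c, s in sessions.items() if s['user'])


def classify(session):
    """Name the outcome of one authentication request."""
    search = session['post_bind_search'] or ''
    if session['ppolicy'] and search.startswith('failed'):
        # The bind itself succeeded and the server attached a password-policy
        # control, but the search after the bind was refused: the sequence
        # the thread shows when pwdReset is TRUE.
        return 'bind-ok-but-password-reset-required'
    if search == 'ok':
        return 'ok'
    if session['bind_dn'] and not search and session['errors']:
        return 'bind-failed'
    return 'unknown'


def summarize(log_text):
    """Return {connection id: (user, classification)} for a log excerpt."""
    return {c: (s['user'], classify(s)) for c, s in parse_sessions(log_text).items()}


if __name__ == '__main__':
    for conn, (user, status) in summarize(SAMPLE_LOG).items():
        print(f'{conn} {user:<6} {status}')
```

Feed it real output with `nslcd -d` redirected to a file and `summarize(open(path).read())`; the classification separates the pwdReset case (bind accepted, ppolicy control present, post-bind search denied) from a genuine credential failure, which is the distinction to have in hand before deciding whether relaxing pam_authc_search is the right fix.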